Republicans offer hands-off approach to cybersecurity

Senate Republicans, led by Sen. John McCain (R-Ariz.), on March 1 unveiled a new cybersecurity bill that puts the onus on industry to protect networks and offers no new mandates or funding.

The Republicans’ bill is an answer to another, bipartisan bill offered up on Feb. 14 that they believe to be overreaching in authority. That bill, the Cybersecurity Act of 2012, would expand the authority of the Homeland Security Department, implement new regulations to protect critical infrastructure and create a new National Center for Cybersecurity and Communications.

“The only government actions allowed by our bill are to get information voluntarily from the private sector and to share information back,” McCain said of his bill, dubbed the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology (SECURE IT) Act. “We have no government monitoring, no government takeover of the Internet and no government intrusions.”

The SECURE IT Act instead focuses on voluntary sharing of cyber-threat information between industries and government, including by easing anti-trust laws that restrict information-sharing between private companies and offering legal protection to companies that take proactive measures to protect their networks. It also aims to reform federal cybersecurity standards.

The new bill, which relies on existing federal cybersecurity organizations to coordinate cybersecurity action rather than establishing new centers, additionally toughens punishment for cyber criminals, whereas the Feb. 14 bill does not.

“Rather than arming Homeland Security with expansive new regulatory authority over every sector of our economy, the SECURE IT cyber bill we’ve introduced today emphasizes a partnership approach between the government and private entities,” Sen. Lisa Murkowski (R-Alaska) said in a press briefing during which the Republican bill was introduced.

The older, bipartisan-backed bill included measures that would require upgrades to critical infrastructure; in some cases it would designate certain private networks as critical infrastructure and compel them to be secured according to federal standards.

A handful of industry groups have already issued statements in support of the SECURE IT Act.

“We were pleased to see the inclusion of enhanced penalties for cyber criminals. As much as we strive to prevent attacks, there must also be consequences for those that are behind them,” TechAmerica’s acting president & CEO Dan Varroney said in a released statement, which also lauded Congress’ efforts in boosting national cybersecurity. “It is very encouraging to see a focus on cybersecurity by so many members of the Senate, and we urge the authors of both bills to work together to create the best possible, bipartisan framework to enhance our nation’s cybersecurity.”

However, some industry experts had already expressed concerns that the earlier Cybersecurity Act didn’t go far enough – and the new bill stops far short of the measures included in the earlier legislation, a fact the Republicans highlighted in introducing SECURE IT.

“As currently drafted [the Cybersecurity Act of 2012] includes significant loopholes that would keep our nation at risk,” Jim Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies, said at a Feb. 16 Senate hearing. “Some of these loopholes are intended to accommodate industry concerns. These industry concerns are understandable and the bill makes reasonable efforts to accommodate them. However, in a few instances, the language to assuage industry concerns goes too far and ends up putting national security at risk.”


Reader comments

Sun, Mar 4, 2012

how winsome it is then that the Federal government claims COTS lies at the heart of its IT/IA acquisition strategy!!!

Sun, Mar 4, 2012

so vic....you honestly think a DHS with prescriptive powers (a DHS that already owns telecommunications and Federal Cyber Security in addition to CIP)...a DHS that runs all those invasive airport scanners...is the way to go?
your hyperbole is off the mark. McCain understands the magnitude of the problem...we all do. the issue is what the solution should be, who pays for it, and how much liberty is sacrificed in the process. the last matters...a lot. and you're wrong in implying there is no accountability....go research how HHS is bounty hunting based on HIPAA and Stimulus Act incentives.
btw...while emerging NIST and other Federal Agency IA guidance is impressive......please note that execution is decentralized.

Fri, Mar 2, 2012

The SECURE IT bill does not address the problem. It's a knee-jerk reflex reaction. It's not even worth reporting on, except as an example of how Congress knows very little.

Fri, Mar 2, 2012

If everything is "voluntary" in SECURE IT, what's the purpose/value? Most voluntary relationships of this nature are administered by "user group" organizations (of which there are already many with private industry and govt participation/collaboration).

Fri, Mar 2, 2012
vic

This new position by McCain and others evidences a COMPLETE lack of understanding of the MAGNITUDE of the problem and the CONTINUING exploits of information technology and the systems that SAFE IT is critical to.
McCain does not seem to understand that NO ONE will fix risks that AMERICANS are COLLECTIVELY subject to UNLESS the currently IRRESPONSIBLE parties are HELD RESPONSIBLE.
If you doubt this, you aren't paying ANY attention and probably DON'T understand.
Note: Consider what China is doing in this space: 1) aggressively SECURING their networks; 2) Aggressively exploiting ours.
Hello???